Protect Office 365 and more with EMS · •App access control –PIN or credentials •Save...

Post on 21-Aug-2020


MICROSOFT 365

Protect Office 365 and more with EMS

Jan Ketil Skanke – Enterprise Mobility MVP

COO and Principal Cloud Architect @CloudWay

MICROSOFT 365

Jan Ketil Skanke

MVP Enterprise Mobility

Partner and Principal Cloud Architect

CloudWay

Twitter: @JankeSkanke

MICROSOFT 365

How good is your security?

MICROSOFT 365

Challenges in defense/security management

Identity-based attacks are up 300% this year

Lack of knowledge of available controls and which are most effective

Unable to benchmark against other organizations

Most enterprises report using more than 60 security solutions

Information is your most attractive target

Many different controls

Many different places to configure controls

96% of malware is automated polymorphic

Eroding coverage of controls

MICROSOFT 365

Assess your current situation

https://securescore.microsoft.com

MICROSOFT 365

Guidance to increase your security level: learn what security features are available to reduce risk while helping you balance productivity and security

Insights into your security position: one place to understand your security position and what features you have enabled

Score-based framework: calculates a security score based on current security settings and behaviours and compares it to a baseline asserted by Microsoft

Secure Score

MICROSOFT 365

Identity Secure Score

MICROSOFT 365

Enable controls through Secure Score

Get more details and enable the control directly, or be taken to the place where you can enable it

MICROSOFT 365

How scores get calculated

Nightly process collects telemetry from workloads

Ignored actions and 3rd-party information are stored in another location

Reporting data is anonymized and stored separately

[Architecture diagram: Azure Active Directory; Secure Score UI; API to Data Store; Workload Data for Secure Score; Azure Event Hub; Secure Score Worker Process; Workload Data Stores; Reporting Actions Data; Ignore and 3rd Party Action Data]

MICROSOFT 365

Identity Based Approach

Device Trust

MAM vs MDM?

Health and Compliance

Data Security

MICROSOFT 365

Identity Based Security

Identity driven approach

MFA / Conditional Access

Risk

Can we trust their device?

Who and What are accessing your data?

MICROSOFT 365

Enable self-help for more predictable and complete end user security

Increase your awareness with auditing and monitoring of security alerts

Automate threat response

Reduce your attack surface

Strengthen your credentials

Blocking legacy authentication reduces compromise by 66%.

Implementing risk policies reduces compromise by 96%.

Attackers escape detection inside a victim’s network for a median of 101 days. (Source: FireEye)

60% of enterprises experienced social engineering attacks in 2016. (Source: Agari)

MFA reduces compromise by 99.99%

Getting the basics right

MICROSOFT 365

“Less than 2% of tenant admins have MFA enabled”

MICROSOFT 365

Secure Privileged Access

• Create a “Break The Glass” account

• Set up MFA on “all” Privileged roles

• Use AAD Privileged Identity Management (PIM)

• Monitor usage – Alerting

MICROSOFT 365

Secure ALL your users

Enable MFA the Right Way

Use Conditional Access

Protect ALL your apps

Trust on Device Level

Risk Based Policies

MDATP and AAD Identity Protection

MICROSOFT 365

Conditional Access

Allow Access

Block Access

Cloud Apps

On-premises

User

Conditions

Actions

Enforce MFA per user / per app

Location (IP Range)

Device State

User Group

MICROSOFT 365

What about those OAuth Apps?

MICROSOFT 365

SO WHO IS ACCESSING YOUR COMPANY DATA?

MICROSOFT 365

Controlling OAuth Apps with MCAS

DEMO

MICROSOFT 365

Moving to Device Trust

MICROSOFT 365

Configure Conditional Access

Require MFA for all unknown Windows devices

Require Managed App on Mobile

Zero Trust Network: No need to trust your local network.

Enable Baseline Policy for Admins

Block Legacy Auth with Policy
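The four policies on this slide, as an added example that is not from the talk or from Microsoft: each is expressed as the JSON a Microsoft Graph `conditionalAccessPolicy` expects, and a small local evaluator shows how the conditions decide which policies apply to a sign-in and how grant controls combine (`OR` with `compliantDevice`/`domainJoinedDevice` is what makes the "unknown Windows device" policy work). The Graph field names and enum values are real; the object ids, the sign-in records and the evaluation rules are assumptions made for this example and do not reproduce Microsoft's engine.

```python
"""Added example for the "Configure Conditional Access" slide: the four listed
policies as Microsoft Graph conditionalAccessPolicy JSON, plus a simplified
local evaluator.  Written for this transcript, not Microsoft's engine: field
names and enum values follow the Graph resource, while the ids, the sign-in
records and the evaluation rules are assumptions."""

# Placeholder ids (assumptions; a real tenant uses GUIDs here).
BREAK_GLASS_USER = "breakglass-user-id"
ADMIN_ROLE = "global-admin-role-template-id"

# Graph clientAppTypes values that identify legacy protocols
# (Exchange ActiveSync, IMAP/POP/SMTP AUTH and older Office clients).
LEGACY_CLIENT_APPS = ["exchangeActiveSync", "other"]


def _policy(name, users, controls, operator="OR", platforms=None, client_apps=("all",)):
    """Build one policy; every policy here excludes the break-glass account."""
    users = dict(users, excludeUsers=[BREAK_GLASS_USER])
    conditions = {"users": users,
                  "applications": {"includeApplications": ["All"]},
                  "clientAppTypes": list(client_apps)}
    if platforms:
        conditions["platforms"] = {"includePlatforms": platforms}
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}


def block_legacy_auth_policy():
    return _policy("Block legacy authentication", {"includeUsers": ["All"]},
                   ["block"], client_apps=LEGACY_CLIENT_APPS)


def require_mfa_for_admins_policy():
    return _policy("Require MFA for admins (baseline)", {"includeRoles": [ADMIN_ROLE]}, ["mfa"])


def require_mfa_unknown_windows_policy():
    # OR: a compliant or hybrid-joined device passes without MFA; an unknown
    # Windows device (neither) must satisfy MFA.
    return _policy("Require MFA for unknown Windows devices", {"includeUsers": ["All"]},
                   ["mfa", "compliantDevice", "domainJoinedDevice"], platforms=["windows"])


def require_managed_app_on_mobile_policy():
    return _policy("Require managed app on mobile", {"includeUsers": ["All"]},
                   ["compliantApplication"], platforms=["iOS", "android"])


def policy_applies(policy, signin):
    """Assumed condition logic: user in scope and not excluded, client app type
    and platform match.  Simplified: locations, sign-in risk and app scoping
    are ignored."""
    cond = policy["conditions"]
    users = cond["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    in_scope = ("All" in users.get("includeUsers", [])
                or signin["user"] in users.get("includeUsers", [])
                or bool(set(users.get("includeRoles", [])) & signin["roles"]))
    if not in_scope:
        return False
    if "all" not in cond["clientAppTypes"] and signin["clientAppType"] not in cond["clientAppTypes"]:
        return False
    platforms = cond.get("platforms", {}).get("includePlatforms", ["all"])
    return "all" in platforms or signin["platform"] in platforms


def control_satisfied(control, signin):
    return {"mfa": signin["mfa"],
            "compliantDevice": signin["deviceCompliant"],
            "domainJoinedDevice": signin["hybridJoined"],
            "compliantApplication": signin["managedApp"],
            "approvedApplication": signin["managedApp"]}.get(control, False)  # "block" is never satisfied


def evaluate(policies, signin):
    """Return ("block" | "challenge" | "allow", names of applicable policies).
    block: an applicable policy grants "block"; challenge: some applicable
    grant is unmet (the real service would prompt, e.g. for MFA); else allow."""
    applicable = [p for p in policies if p["state"] == "enabled" and policy_applies(p, signin)]
    names = [p["displayName"] for p in applicable]
    decision = "allow"
    for p in applicable:
        grant = p["grantControls"]
        if "block" in grant["builtInControls"]:
            return "block", names
        results = [control_satisfied(c, signin) for c in grant["builtInControls"]]
        if not (any(results) if grant["operator"] == "OR" else all(results)):
            decision = "challenge"
    return decision, names


ALL_POLICIES = [block_legacy_auth_policy(), require_mfa_for_admins_policy(),
                require_mfa_unknown_windows_policy(), require_managed_app_on_mobile_policy()]


def make_signin(user, roles=(), platform="windows", client="browser", mfa=False,
                compliant=False, hybrid=False, managed_app=False):
    """Constructed sign-in record (an assumption, not the SigninLogs schema)."""
    return {"user": user, "roles": set(roles), "platform": platform, "clientAppType": client,
            "mfa": mfa, "deviceCompliant": compliant, "hybridJoined": hybrid, "managedApp": managed_app}
```

Run it with `evaluate(ALL_POLICIES, make_signin("alice", client="other"))` to see the legacy-auth block, or with a compliant Windows device to see the unknown-device policy pass without an MFA prompt. Note the break-glass exclusion on every policy: because it is excluded, nothing applies to it, which is why the slide pairs that account with monitoring and alerting.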

MICROSOFT 365

Work-owned devices: trusted by virtue of domain join or compliance

Personal devices: trusted if the device complies with MDM policy, or if the device/app complies with Intune policy

MICROSOFT 365

Utilize Microsoft Intune

Set up Configuration Policies

Set up Compliance Policies

[Conditional Access overview diagram. Conditions: Employee & Partner Users and Roles; Trusted & Compliant Devices (Compliant Device, Windows Defender ATP, MacOS / Android / iOS / Windows); Physical & Virtual Location (Corporate Network, Geo-location); Client apps & Auth Method (Client apps, Browser apps, Google ID, MSA, Azure AD, ADFS); Microsoft Cloud App Security. Engine: Machine learning, Policies, Real time Evaluation Engine, Session Risk, Effective policy. Controls: Require MFA; Allow/block access; Block legacy authentication; Force password reset; Limited access]

MICROSOFT 365

Conditional Access

DEMO

MICROSOFT 365

Intune App Protection for Mobile Devices

MICROSOFT 365

Why Intune App Protection for Mobile Devices


MICROSOFT 365

Without Enrollment


MICROSOFT 365

Intune App Protection Policies (APP)

Personal apps

Corporate apps

MDM policies

Comprehensive protection

• App encryption at rest

• App access control – PIN or credentials

• Save as/copy/paste restrictions

• App-level selective wipe

MDM mgmt. by Intune or third-party is optional

Might be a good solution for these scenarios:

• BYOD when MDM is not required

• Extending app access to vendors and partners

• Already have an existing MDM solution

MAM policies

MDM – optional (Intune or 3rd-party)

MICROSOFT 365

What do we need?


MICROSOFT 365

2. The Broker App(s)

MICROSOFT 365

3. Conditional Access Policies

ENFORCE MFA

ALLOW

BLOCK

MICROSOFT 365

security.microsoft.com

MICROSOFT 365

Intune Security Tasks

Intune admins get tasks assigned from SecOps

Integrated with Microsoft Defender ATP

MICROSOFT 365


DEMO

MICROSOFT 365

Log Analytics

Export logs to Log Analytics

Store logs in Storage Account

Stream to Event Hub (forward to SIEM)
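Once sign-in logs land in Log Analytics, a storage account or a SIEM via Event Hub, the point of the "Monitor usage – Alerting" and "Block Legacy Auth" slides is to query them. The following added example (written for this transcript, not a Microsoft tool) runs two checks over newline-delimited JSON records: successful legacy-protocol sign-ins, which show that the legacy-auth block is not covering a user, and any sign-in by the break-glass account, which should always alert; it also reports per-user MFA coverage. The column names (`UserPrincipalName`, `ClientAppUsed`, `ResultType`, `ConditionalAccessStatus`, `AuthenticationRequirement`, `IPAddress`) follow the Azure AD `SigninLogs` table; the sample records, the break-glass account name and the rule logic are assumptions constructed here.

```python
"""Added example for the log-export slides (not a Microsoft tool): detection
logic over Azure AD sign-in records exported to Log Analytics / Event Hub.
Column names follow the SigninLogs schema; the sample data, the break-glass
account and the rules themselves are assumptions made for this example."""
import json
from collections import Counter

# ClientAppUsed values for legacy protocols in SigninLogs.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Assumption: the tenant's break-glass account (see "Secure Privileged Access").
BREAK_GLASS_ACCOUNTS = {"breakglass@contoso.example"}

# Constructed sample: what an Event Hub consumer or an export would hand you.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2020-08-21T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "ClientAppUsed": "Browser", "ResultType": "0", "ConditionalAccessStatus": "success",
     "AuthenticationRequirement": "multiFactorAuthentication", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-08-21T08:05:00Z", "UserPrincipalName": "bob@contoso.example",
     "ClientAppUsed": "IMAP4", "ResultType": "0", "ConditionalAccessStatus": "notApplied",
     "AuthenticationRequirement": "singleFactorAuthentication", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2020-08-21T08:06:00Z", "UserPrincipalName": "bob@contoso.example",
     "ClientAppUsed": "Authenticated SMTP", "ResultType": "50126", "ConditionalAccessStatus": "notApplied",
     "AuthenticationRequirement": "singleFactorAuthentication", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2020-08-21T09:00:00Z", "UserPrincipalName": "breakglass@contoso.example",
     "ClientAppUsed": "Browser", "ResultType": "0", "ConditionalAccessStatus": "notApplied",
     "AuthenticationRequirement": "singleFactorAuthentication", "IPAddress": "203.0.113.20"},
    {"TimeGenerated": "2020-08-21T09:30:00Z", "UserPrincipalName": "carol@contoso.example",
     "ClientAppUsed": "Mobile Apps and Desktop clients", "ResultType": "0",
     "ConditionalAccessStatus": "success", "AuthenticationRequirement": "multiFactorAuthentication",
     "IPAddress": "203.0.113.30"},
])


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Return findings as dicts with rule, user and detail.  ResultType "0" is
    a successful sign-in; anything else is a failure code."""
    findings = []
    for r in records:
        upn = r.get("UserPrincipalName", "")
        success = r.get("ResultType") == "0"
        if success and r.get("ClientAppUsed") in LEGACY_CLIENT_APPS:
            # Legacy auth succeeded: the block policy did not cover this user/app.
            findings.append({"rule": "legacy_auth_success", "user": upn,
                             "detail": "%s from %s, CA status %s" % (
                                 r["ClientAppUsed"], r.get("IPAddress"), r.get("ConditionalAccessStatus"))})
        if upn.lower() in BREAK_GLASS_ACCOUNTS:
            # Any use of the break-glass account (success or failure) should page someone.
            findings.append({"rule": "break_glass_signin", "user": upn,
                             "detail": "result %s from %s" % (r.get("ResultType"), r.get("IPAddress"))})
    return findings


def mfa_coverage(records):
    """Fraction of each user's successful sign-ins that satisfied MFA."""
    total, with_mfa = Counter(), Counter()
    for r in records:
        if r.get("ResultType") != "0":
            continue
        upn = r["UserPrincipalName"]
        total[upn] += 1
        if r.get("AuthenticationRequirement") == "multiFactorAuthentication":
            with_mfa[upn] += 1
    return {u: with_mfa[u] / total[u] for u in total}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for f in detect(recs):
        print(f["rule"], f["user"], f["detail"])
    print(mfa_coverage(recs))
```

The same two rules translate directly into scheduled Log Analytics queries over `SigninLogs`; keeping the Python version in a test suite lets you check the rule logic against captured records before trusting the alert.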

MICROSOFT 365

Logs logs logs

MICROSOFT 365

DEMO

MICROSOFT 365

Thank You

Remember to evaluate my session